Tools for Merging, Selecting, Viewing, and Interpreting Audit Records

Solaris BSM provides two tools that allow you to merge, select, view, and interpret
audit records. The tools can be used directly or in conjunction with third-party application
programs.

The auditreduce command allows you to choose sets of
records to examine. For instance, you can select all records from the past 24 hours to
generate a daily report; you can select all records generated by a specific user to examine
that user's activities; or you can select all records caused by a specific event type to
see how often that type occurs.

The praudit command allows you to display
audit records interactively and create very basic reports. praudit displays
records in one of several human-readable but otherwise non-interpreted forms. More
sophisticated display and reporting can be achieved by postprocessing the output from praudit (with sed or awk, for instance) or by
writing programs that interpret and process the binary audit records.
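The following script is an added example of the sed/awk-style postprocessing mentioned above; it is not part of the Solaris BSM documentation. On a live system the input would come from a pipeline such as `auditreduce -d 20240115 -u alice | praudit -l`, which selects one day's records for one user and prints them one per line; here the records are constructed sample lines that mimic that comma-separated layout, and the field positions (event type in field 4, the audit-ID following the "subject" token, the status following the "return" token) are assumptions that should be checked against the praudit output of the release in use.

```shell
#!/bin/sh
# Added example: summarize praudit-style one-line audit records with awk.
# SAMPLE_RECORDS is CONSTRUCTED to resemble `praudit -l` output; on a real
# host replace it with the output of `auditreduce ... | praudit -l`.
SAMPLE_RECORDS='header,89,2,login - local,,localhost,2024-01-15 08:00:01.000 +00:00,subject,alice,alice,staff,alice,staff,1201,1201,0 0 localhost,return,success,0
header,110,2,execve(2),,localhost,2024-01-15 08:00:05.000 +00:00,path,/usr/bin/ls,subject,alice,alice,staff,alice,staff,1205,1201,0 0 localhost,return,success,0
header,89,2,login - local,,localhost,2024-01-15 08:01:11.000 +00:00,subject,bob,bob,staff,bob,staff,1300,1300,0 0 localhost,return,failure,1
header,110,2,execve(2),,localhost,2024-01-15 08:02:00.000 +00:00,path,/usr/bin/cat,subject,alice,alice,staff,alice,staff,1210,1201,0 0 localhost,return,success,0'

# Count records per event type. The event type is assumed to be the fourth
# comma-separated field of the header token; output is "count event" lines,
# sorted so the result is stable.
count_by_event() {
    printf '%s\n' "$SAMPLE_RECORDS" |
        awk -F, '{ n[$4]++ } END { for (e in n) printf "%d %s\n", n[e], e }' |
        sort
}

# Number of records whose subject token carries the given audit-ID ($1).
# The token is located by name rather than by fixed column, because the
# number of tokens before "subject" varies (e.g. the optional path token).
records_for_user() {
    printf '%s\n' "$SAMPLE_RECORDS" |
        awk -F, -v who="$1" '
            { for (i = 1; i <= NF; i++)
                  if ($i == "subject" && $(i + 1) == who) { c++; break } }
            END { print c + 0 }'
}

# Number of records whose return token reports a failure; a quick way to
# spot failed logins or denied system calls in a daily report.
count_failures() {
    printf '%s\n' "$SAMPLE_RECORDS" |
        awk -F, '
            { for (i = 1; i <= NF; i++)
                  if ($i == "return" && $(i + 1) == "failure") { c++; break } }
            END { print c + 0 }'
}

# Stand-alone usage: print the three summaries.
echo "Records per event type:"; count_by_event
echo "Records for alice: $(records_for_user alice)"
echo "Failed records:    $(count_failures)"
```

Because the awk scripts locate the "subject" and "return" tokens by name instead of by column, the same functions work for records with and without intervening tokens such as path; only the header layout is assumed fixed.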

The following sections describe the audit record format and the praudit
and auditreduce commands in more detail, and provide some hints and
procedures for using the tools.